[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
Michael S Gilbert
michael.s.gilbert at gmail.com
Sun Aug 30 21:48:34 UTC 2009
On Sun, 30 Aug 2009 19:57:47 +0200 Moritz Muehlenhoff wrote:
> On Sun, Aug 30, 2009 at 05:09:16PM +0000, Michael Gilbert wrote:
> > Author: gilbert-guest
> > Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> > New Revision: 12708
> >
> > Modified:
> > data/CVE/list
> > Log:
> > beginning of embedded code copies triage (5 down 395 to go)
> >
> > + - xulrunner <unfixed>
> > + NOTE: libpng code copy present in xulrunner [./modules/libimg/png/*] and possibly [./gfx/cairo/cairo/*]
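Review bot: the NOTE on the added xulrunner line records only that libpng sources exist under ./modules/libimg/png/* and "possibly" under ./gfx/cairo/cairo/*, which does not establish that the copy is built into the shipped package. Suggest stating in the NOTE whether the bundled copy is compiled in or the build uses the system libpng, and confirming or dropping the "possibly" path before the entry is marked <unfixed>.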
>
> You should check whether the code is actually compiled in.
> xulrunner links dynamically against libpng, so it is not affected.
>
> There's no reason to track such embeddings in the security tracker,
> since it's very common that the source packages still contain the
> local code copies even if they're not used anymore.

fyi, here is the output of ldd for xulrunner 1.9.0.13:

$ ldd /usr/lib/xulrunner-1.9.1/xulrunner-bin
        linux-vdso.so.1 => (0x00007fff6db23000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007f745ae3f000)
        libxpcom.so => not found
        libxul.so => not found
        libplc4.so.0d => /usr/lib/libplc4.so.0d (0x00007f745ac3b000)
        libnspr4.so.0d => /usr/lib/libnspr4.so.0d (0x00007f745a9fe000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f745a6f0000)
        libc.so.6 => /lib/libc.so.6 (0x00007f745a39f000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f745b05a000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007f745a19b000)
        libm.so.6 => /lib/libm.so.6 (0x00007f7459f18000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f7459cfe000)

it is thus evidently clear that xulrunner is *not* using the system copy
of libpng, so my tracking is indeed correct.

mike
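
The check requested in the quoted reply ("whether the code is actually compiled in"), as an added example that is not part of the original thread: a shell function that classifies ldd output for one library and reports "inconclusive" when dependencies such as libxul.so are unresolved, because their own dependencies are then absent from the listing. The function and sample names are hypothetical; sample 1 is a subset of the output quoted above and sample 2 is constructed.

```shell
#!/bin/sh
# classify_ldd LIBPREFIX: read `ldd` output on stdin and report how the
# inspected object relates to the shared library LIBPREFIX (e.g. libpng).
#   dynamic       a resolved dependency matching LIBPREFIX is listed
#   inconclusive  not listed, but some dependencies were "not found", so
#                 whatever they link against never appears in this output
#   not-linked    not listed and every dependency resolved; a bundled copy
#                 may be compiled in, or the library may be unused
classify_ldd() {
    awk -v lib="$1" '
        ($1 ~ ("^" lib "[0-9.]*\\.so")) && ($0 !~ /not found/) { hit = 1 }
        /=> not found/ { missing = missing " " $1 }
        END {
            if (hit)          print "dynamic"
            else if (missing) print "inconclusive:" missing
            else              print "not-linked"
        }'
}

# Sample 1: lines taken from the ldd output quoted in the message above.
sample_launcher() {
    cat <<'EOF'
        linux-vdso.so.1 => (0x00007fff6db23000)
        libxpcom.so => not found
        libxul.so => not found
        libc.so.6 => /lib/libc.so.6 (0x00007f745a39f000)
EOF
}

# Sample 2: constructed for illustration, not real output.
sample_resolved() {
    cat <<'EOF'
        libpng12.so.0 => /usr/lib/libpng12.so.0 (0x00007f0000000000)
        libc.so.6 => /lib/libc.so.6 (0x00007f0000200000)
EOF
}

sample_launcher | classify_ldd libpng
sample_resolved | classify_ldd libpng
```

On a real system the input would come from running ldd against each shipped object (the launcher and the libraries it loads), for example `ldd FILE | classify_ldd libpng`.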